webmcp
diff framework/env/request/set_csrf_secret.lua @ 0:9fdfb27f8e67
Version 1.0.0
| author | jbe/bsw | 
|---|---|
| date | Sun Oct 25 12:00:00 2009 +0100 (2009-10-25) | 
| parents | |
| children | 32ec28229bb5 | 
1.1 --- /dev/null Thu Jan 01 00:00:00 1970 +0000 1.2 +++ b/framework/env/request/set_csrf_secret.lua Sun Oct 25 12:00:00 2009 +0100 1.3 @@ -0,0 +1,18 @@ 1.4 +--[[-- 1.5 +request.set_csrf_secret( 1.6 + secret -- secret random string 1.7 +) 1.8 + 1.9 +Sets a secret string to be used as protection against cross-site request forgery attempts. This string will be transmitted to each action via a hidden form field named "_webmcp_csrf_secret". If this function is called during an action, and there is no CGI GET/POST parameter "_webmcp_csrf_secret" already being set to the given secret, then an error will be thrown to prohibit execution of the action. 1.10 + 1.11 +--]]-- 1.12 + 1.13 +function request.set_csrf_secret(secret) 1.14 + if 1.15 + request.get_action() and 1.16 + cgi.params._webmcp_csrf_secret ~= secret 1.17 + then 1.18 + error("Cross-Site Request Forgery attempt detected"); 1.19 + end 1.20 + request._csrf_secret = secret 1.21 +end
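Review bot: the guard at 1.15-1.16 in request.set_csrf_secret compares cgi.params._webmcp_csrf_secret with secret using ~=, but nothing checks that secret is a non-empty string. If a caller passes nil and the request carries no _webmcp_csrf_secret parameter, nil ~= nil evaluates to false, no error is raised, and the action runs without any token having been verified. Suggest rejecting the argument up front, before the comparison, for example `if type(secret) ~= "string" or secret == "" then error("invalid CSRF secret") end`. Two documentation points for the header comment at 1.9: it says the value is accepted as a GET or POST parameter, so it is worth stating that forms should submit it via POST to keep the secret out of URLs, and it should state explicitly that an action is only protected if this function is actually called while that action is being processed.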